CVE-2024-1387: CWE-862 Missing Authorization in thehappymonster Happy Addons for Elementor
The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to insufficient authorization on the duplicate_thing() function in all versions up to, and including, 3.10.4. This makes it possible for attackers with contributor-level access and above to clone arbitrary posts (including private and password-protected ones), which may lead to information exposure.
AI Analysis
Technical Summary
CVE-2024-1387 is a missing authorization vulnerability (CWE-862) in the Happy Addons for Elementor WordPress plugin. The duplicate_thing() function does not properly restrict access, enabling authenticated users with contributor-level permissions or higher to clone posts they should not be authorized to duplicate. This includes private and password-protected posts, which can lead to unauthorized data exposure. The vulnerability affects all plugin versions up to and including 3.10.4. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low complexity, privileges required, no user interaction, and limited confidentiality impact.
Potential Impact
An attacker with contributor-level or higher access can clone arbitrary posts, including private and password-protected content. This unauthorized duplication can lead to exposure of sensitive or restricted information. The vulnerability does not affect integrity or availability, and no known active exploits have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and monitor for suspicious activity related to post duplication. Avoid granting contributor or higher privileges broadly. Follow updates from thehappymonster for any official patches or temporary mitigations.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-02-08T21:55:18.323Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d2db7ef31ef0b56ea50
Added to database: 2/25/2026, 9:44:13 PM
Last enriched: 4/9/2026, 7:00:15 AM
Last updated: 4/12/2026, 3:35:41 AM